Hi! I'm Jaeheon Shim, a computer programmer and technology enthusiast who lives in Columbus, Indiana. I like contributing to open-source development projects on GitHub, working on my own web-based applications, and writing articles on my blog Learn The Technology. In my free time, I manage CAMEO's public website and provide free tech assistance to friends and family :).

How Does A Password Work?

October 1, 2018

Your password is the key to your online existence. With it, anyone can gain access to everything that is tied to your name online, regardless of who they actually are. Since a password can unlock your virtual life, companies needed to figure out a way to keep it secure and safe. They needed to make sure that even if someone gained access to their server with malicious intent, they would not be able to access your plaintext password. Read on to find out how scientists have worked long and hard in the effort to make passwords unhackable.

Woah. Did I just say unhackable?

But Jaeheon; surely you must be wrong. Everything is hackable in this world…right?

Yes, and no. If by hacking you mean getting into someones account without their permission, then sure. Anything online can be hacked into(Sorry people who thought they were finally at ease with their cybersecurity problems). But there are many ways to hack into someone’s account, and using their password is only one of them. These ways include phishing, brute force, social engineering, keylogging, password reset compromising, and many, many more. Feeling insecure yet?

The truth is, guessing your password is probably the least common way hackers hack into your account. If you write a program to brute force a password, the system will implement something to stop you from guessing on after a couple of tries, such as a captcha. Programmers are smart after all. You know who isn’t smart? That clueless person on the internet trying to get free v-bucks or some other scam they’ve fallen for. These people usually enter their password in for the hacker, because they need to enter their password for the server to verify their humanity or something. And before you know it, your account is no more.

So how do companies manage to secure their password so securely? Let me explain it from the perspective of a large company, such as our “friend” Google.

Google stores user’s login info on their server. They need a way to make sure that the passwords stored are stored as securely and privately as possible, so they come up with the most reasonable way to do it: don’t store the actual passwords on the server.

Wait… what?! How is that even possible? If the password isn’t stored on the server, where is it stored then? A good company with users’ best intentions in mind should only have customers password stored in one place: the customer’s brain. Storing passwords on servers pose a big security threat. If someone were to hack into the server, they could leak millions of users passwords. Furthermore, a turncoat programmer (a traitor) could easily dump passwords in plaintext form. Storing plaintext passwords on a server is like storing an unlocked phone inside a safe. With today’s technology, hackers can easily break into the safe and steal the phone.

Hashing

To make sure that passwords are not stored in plaintext on servers, a process known as hashing is used. This picture explains it (sort of).

Hashing

When a password is hashed, it is sent into an algorithm that produces a hashed text, also known as a signature. The important part here is that hashing the same password always returns the same signature. When I hash the phrase “Learn The Technology”, the SHA-256 algorithm returns this: 5B45E3FDFC63CA53A05809BAC139DC833063878087123831A7537E1B70B53B19. Go ahead and find an SHA-256 hash calculator online, here are a few:

It doesn’t matter which one you use, each one will always return 5b45e3fdfc63ca53a05809bac139dc833063878087123831a7537e1b70b53b19 This is the process of hashing. Taking a literal such as a string, an integer, or a mix of both, and returning the same value every single time. The length of the hash is always the same as well.

Why is this so secure you ask? The key point of hashing is that it is virtually impossible to get the string that produced the hash. Hashing is a one-way function. Someone who has not read this article will not know that 5b45e3fdfc63ca53a05809bac139dc833063878087123831a7537e1b70b53b19 is the SHA-256 hash of “Learn The Technology” (unless they tried hashing “Learn The Technology” in their own time. If that’s the case… good for them.) So passwords are never stored on a server. The hash is. When you log in and input your password, the password is hashed and compared to the hash stored in the database. If it is equal and everything checks out, you are logged in. And if your password is secure – includes uppercase and lowercase letters, a few numbers, symbols, etc. – you are in luck; your password is unlikely to be cracked.

Can SHA-256 be reversed?

No. The amount of computer power needed is so ridiculous that you would be better off buying the company and getting the user’s data. SHA-256 was designed by top mathematicians from the NSA. If you are math savvy as well, you can read this pdf on how SHA-256 works (You’ll find to your horror that there is an infinite amount of passwords that can unlock your account). If you happen to crack SHA-256, you automatically become known as the greatest scientist of the century. You would also destroy bitcoin, which relies on SHA-256. Don’t waste your time trying to crack it though, because that would be a waste of time.

Given some data you can compute the hash, given the hash it is difficult (and mathematically impossible) to have the data back.

SHA256 verification works by computing it again and comparing the result with the result in records. If both results match, then the verification is successful.

There is a lot more to hashing and password security than I could explain in this article. If you have any questions, leave them in the comments below and I’ll get back to you soon. As usual, don’t forget to subscribe, and be sure to share this article with your friends! (In other words, pass the word around.)